CVE-2022-48919

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix double free race when mount fails in cifsgetroot()

When cifsgetroot() fails during cifssmb3domount() we call deactivatelockedsuper() which eventually will call delayedfree() which will free the context. In this situation we should not proceed to enter the out: section in cifssmb3do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 [Thu Feb 10 12:59:06 2022] Call Trace: [Thu Feb 10 12:59:06 2022] <IRQ> [Thu Feb 10 12:59:06 2022] dumpstacklvl+0x5d/0x78 [Thu Feb 10 12:59:06 2022] printaddressdescription.constprop.0+0x24/0x150 [Thu Feb 10 12:59:06 2022] ? rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] kasanreport.cold+0x7d/0x117 [Thu Feb 10 12:59:06 2022] ? rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] asanload8+0x86/0xa0 [Thu Feb 10 12:59:06 2022] rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] rcucore+0x547/0xca0 [Thu Feb 10 12:59:06 2022] ? callrcu+0x3c0/0x3c0 [Thu Feb 10 12:59:06 2022] ? _thiscpupreemptcheck+0x13/0x20 [Thu Feb 10 12:59:06 2022] ? lockisheldtype+0xea/0x140 [Thu Feb 10 12:59:06 2022] rcucoresi+0xe/0x10 [Thu Feb 10 12:59:06 2022] _dosoftirq+0x1d4/0x67b [Thu Feb 10 12:59:06 2022] _irqexitrcu+0x100/0x150 [Thu Feb 10 12:59:06 2022] irqexitrcu+0xe/0x30 [Thu Feb 10 12:59:06 2022] sysvechypervstimer0+0x9d/0xc0 ... [Thu Feb 10 12:59:07 2022] Freed by task 58179: [Thu Feb 10 12:59:07 2022] kasansavestack+0x26/0x50 [Thu Feb 10 12:59:07 2022] kasansettrack+0x25/0x30 [Thu Feb 10 12:59:07 2022] kasansetfreeinfo+0x24/0x40 [Thu Feb 10 12:59:07 2022] _kasanslabfree+0x137/0x170 [Thu Feb 10 12:59:07 2022] _kasanslabfree+0x12/0x20 [Thu Feb 10 12:59:07 2022] slabfreefreelisthook+0xb3/0x1d0 [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520 [Thu Feb 10 12:59:07 2022] cifssmb3domount+0x149/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3gettree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfsgettree+0x52/0x140 [Thu Feb 10 12:59:07 2022] pathmount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] _x64sysmount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] dosyscall64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entrySYSCALL64after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation: [Thu Feb 10 12:59:07 2022] kasansavestack+0x26/0x50 [Thu Feb 10 12:59:07 2022] _kasanrecordauxstack+0xb6/0xc0 [Thu Feb 10 12:59:07 2022] kasanrecordauxstacknoalloc+0xb/0x10 [Thu Feb 10 12:59:07 2022] callrcu+0x76/0x3c0 [Thu Feb 10 12:59:07 2022] cifsumount+0xce/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] cifskillsb+0xc8/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] deactivatelockedsuper+0x5d/0xd0 [Thu Feb 10 12:59:07 2022] cifssmb3domount+0xab9/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3gettree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfsgettree+0x52/0x140 [Thu Feb 10 12:59:07 2022] pathmount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] _x64sysmount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] dosyscall64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entrySYSCALL64after_hwframe+0x44/0xae